Point of Sale Data Security

Read on to find out the three questions every POS value-added reseller (VAR) should ask their ISV partner about integrated payments.

Question 1: Is your POS application in scope for PA-DSS?

If the POS application is in scope for PA-DSS, then the VAR must become QIR certified pursuant to the new rules being put in place by Visa. Being QIR certified is much more involved than simply passing a test. On the other hand, there are certain semi-integrated payment technologies in the market today which use a payment terminal to process the transaction and completely remove the POS application from the scope of PA-DSS and PCI DSS compliance. Implementing a semi-integrated payment terminal is very similar to implementing a standalone payment terminal and does not necessarily require the VAR to be QIR certified.

Question 2: Which SAQ (A, A-EP, B, B-IP, C, C-VT, P2PE-HW, or D) will merchants using your system be subject to if your system is the only one they use to process credit and debit card payments?

Acquirers require merchants in their portfolio to validate compliance with the PCI DSS. As part of validating compliance, most small and medium-sized merchants must complete a Self-Assessment Questionnaire (SAQ) developed by the Payment Card Industry Security Standards Council. SAQ C and SAQ D are the most common SAQs for merchants using POS systems with integrated payments. These SAQs are also the most challenging, and because of this merchants often end up misrepresenting the truth on the questionnaire in order to get a passing grade. On the other hand, merchants that are subject to SAQ B-IP or SAQ P2PE-HW have a much easier time completing the questionnaire in a forthright manner and receiving a passing grade. Selling a system that subjects the merchant to SAQ B-IP or SAQ P2PE-HW therefore gives the VAR a competitive advantage in the marketplace.

Question 3: Are you EMV live today?

Many POS systems are “EMV Ready” but not yet live with EMV. Being EMV ready generally means the POS system has integrated with a solution that includes EMVCo-certified Level 1 and Level 2 kernels, but has not obtained an end-to-end EMV certification with the card brands (often referred to as Level 3 certification). On the other hand, systems that are live with EMV are able to support EMV transactions in a production environment. Deploying systems that are not yet EMV live can be problematic for both the VAR and the end user: the end user has a higher chance of suffering EMV-related chargebacks and is a greater target for data security thieves, and the VAR will have more work to do in the future to eventually convert the system from EMV ready to EMV live.
